Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5355
| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Ken Hornstein <kenh@cmf.nrl.navy.mil> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Why do "strict acceptor checking"? |
| Date | Mon, 07 Oct 2024 20:23:28 -0400 |
| Organization | TNet Consulting |
| Lines | 20 |
| Message-ID | <mailman.126.1728347015.2322.kerberos@mit.edu> (permalink) |
| References | <202410080023.4980NSGB010697@hedwig.cmf.nrl.navy.mil> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset="us-ascii" |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="27099"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| To | kerberos@mit.edu |
| DKIM-Filter | OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid) |
| Authentication-Results | mailman.mit.edu; dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256 header.s=selector2-mitprod-onmicrosoft-com header.b=NRj7Y7ph |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=owB+wzDrsK7U+y0JSrx2Pk0Q9SvD4Ccl4Z1FK6nZ1Jy6UmGSyaPdH2ydiCG2GbjQdJrsrzaSGNiAn0AsW3KNIu5JxEaU9qjFHKZcKOnzxx25Cr2yr7lzt63LGqNFmR9BidXUTz2xIZxAufs2kjijkyY98aZSCFArr4vPH5mGlofKpCHX2BzmLanDPSyUOXerYuX9Nin9tQ8GlpQ3VtccL3BXwW2ID74Lrhc1b6dOtxr3Xg64fF0aoMJCIphEpEHzEfhyTiz+p/e/1uP0Ac5/R17GHNunZeX5IZwTT3/wORX/PE1L/Pp5i8IxyfiKvCDXZedrov+GKpqu3G40Lz/i/A== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=b7ahA1eksRMpncp0FHY3RltPuUUzONdHo6VQfotNg5U=; b=jJgOM7hOP+9grHYoFuLTSEKqlja9ocCUB/9gf37eVkoRFAfGTRkDIlBLQgyNK9Y3xhaafDnFBsRZdB6K9lT+VC4sZyq2SL1JunoxX1rSg2bA9JkwaODN6sfM7BYnxekF9jTCno8NkkVjZV5EbHNKq/MjHxPA72OlsNz8kfDPUca9lyFU/AuniaZOuEH2eFI9avTvsqx61qADHT+HV3Yi9LBG/87y/6+/VpiRBhXgFBNsC1Fak/tUQrI1133rC/u6Rf9y0ZY2sRiaFnfO+TTbObYLgpPSasa1m0EnfsM2qthxhP4xrOqV5g4if6M2LmWoSoTfdDv3su//MtTIGHF0LA== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=pass (sender ip is 140.32.61.234) smtp.rcpttodomain=mit.edu smtp.mailfrom=cmf.nrl.navy.mil; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=cmf.nrl.navy.mil; dkim=none (message not signed); arc=none (0) |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b7ahA1eksRMpncp0FHY3RltPuUUzONdHo6VQfotNg5U=; b=NRj7Y7ph80S6EvIZDLsMFWMk1XpZQ+oGLvOhcV1T6+wr472tdGILc8z/aNpoOwMX2i/2Hh/QljsRhiwl99O1ay4sZVJW0yT3dWssAkNNLjgEdbCwJYB/Hmjsh3xgqoBN3Q/hfrsz/XX6YMJKDMwPUHU4FTBpv/kFKv6+ZGnaYY8= |
| Authentication-Results | spf=pass (sender IP is 140.32.61.234) smtp.mailfrom=cmf.nrl.navy.mil; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=cmf.nrl.navy.mil; |
| Received-SPF | Pass (protection.outlook.com: domain of cmf.nrl.navy.mil designates 140.32.61.234 as permitted sender) receiver=protection.outlook.com; client-ip=140.32.61.234; helo=mf.dren.mil; pr=C |
| X-Face | "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e` |
| X-NRLCMF-Spam-Score | () hits=0 User Authenticated |
| X-NRLCMF-Virus-Scanned | |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0 |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | CO1PEPF000044EF:EE_|SN7PR01MB7972:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | d4750c35-56c8-49b6-b708-08dce72f6fee |
| X-LD-Processed | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr |
| X-MS-Exchange-AtpMessageProperties | SA |
| X-MS-Exchange-SenderADCheck | 0 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam | BCL:0; ARA:13230040|376014|48200799018|9140799003|61400799027; |
| X-Microsoft-Antispam-Message-Info | DWUk+SgiUwY2Mq9ZRbrYLA9TG/5G4e+LcDeGWQQoZn9hhY8d7Qz5Fe2NlYeCWVRsOk9X1OwMNaThuHQ79/RFW3r/z2JSuTZPnjMjP/8oVkz75iSXa1PlF1jmOKOgwwR7Wai4Rwn25AJIUD0SjLOHY80F/+TtrmIzj584IJYjqtYtZwWcd9maJj11kwfa3Tc3Qdyj5oWEfnrwqXo3bJyvtrVkRaRJhC15+UmVFZk+s3qVD23Y5SkX2VCf9Z8MbQXmIhMVluz07P4sIxEYUsyFODqyYYoaVAmqno+liS6y+FYGGdKvD08j0Ys1PSOlYr63aU/b1kGlpCr2KPV/k5WZfPSmJjGL+XiyPwr8fsR/XbDhNOprBWkuw3PbhVVIgP79ddX4Xce0xp5J3PCd78bBaxDihrSj6zzpG2NSD4Ii/DItXXG64V3VGpD4gDycCAGzp05mEXA4FE7x/TZjK0O+8GzasYV3QyQoPc8fBQm8rbsgoPZguTburMLRlCrwzxM3I78KAHhiVJ+dKr1aO87w12mgAThnOsPEZvXcDLnkt8J+gVlcR6JIldMVUtLU2uoCYCUhw5cg13C1JFWt4gi/2LagMEs4H2w/PM6TRmgqTrORwPgPHDN0+J1gsW8uZBIPnsRtxoREEOiVdJ2EGunZU0b3lkIevrEFDICibudkCHboro56BlIao9sHOkJj5jXMaG+L7Ssoq87WBpcuP4M2yo9Ks4ynshH8tzwY73LAV804oCFApD8G+qOuS/99ZUVTswBvg0h1n6UjV1pskZdUG8Yd6dHXdDXCeAPt3GQLQ4/VUviIH00ricHibxPI8IqxNhjuvnGsaofkwKYpKm+hPAn8Odt4qs2Bemn8TEI60knvbMfOr2maVcdrGRcrRuNIC9QpexZ5r2YblNBRxO8+x10GPYBGsvaO0E+w6HH/j3xLTD9mPSML8X32shDPQx8oeB5fpgOaEOKrMAc7wUrSdGaR072Be2h3EORLZa2BFKmv8Rr8rpudubZwIs3VzKnNgweRQM0exyS1RgMpljTTEUeLVTKs7v399hsYSUbuvpDyyljdOGDBFHJIgjYdp236ErVVPOl06CLu8OAP69bibB0oPFvjZHskpScU/wOagQcXYG82PkGgWryLafjhpnwXb2IVP8AsFMgAKCuG5JZIsrr7BvgFwBrrQMmmv4Lv3cab6elOcrKPMRPAFWFtNGbi1TVUn2JYUARrKfpoMCpD0aQ4mwOUB+NeLxAi47WXGfavzBAMV8WdKbOeH5tzrJG9xveLo3Mp7vMVBZFxgy6NqWKz7pr6g4HD1MrrzwJ2kO5S9RXNeRRsYaJ8Bm/KiP6vo2xyrwiF71HU/g6v3ti3/3uaJcpfi7SjxAqVqj5ulCU= |
| X-Forefront-Antispam-Report | CIP:140.32.61.234; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mf.dren.mil; PTR:mfw.dren.mil; CAT:NONE; SFS:(13230040)(376014)(48200799018)(9140799003)(61400799027); DIR:OUT; SFP:1102; |
| X-ExternalRecipientOutboundConnectors | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-Auto-Response-Suppress | DR, OOF, AutoReply |
| X-OriginatorOrg | mitprod.onmicrosoft.com |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 08 Oct 2024 00:23:30.5756 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | d4750c35-56c8-49b6-b708-08dce72f6fee |
| X-MS-Exchange-CrossTenant-Id | 64afd9ba-0ecf-4acf-bc36-935f6235ba8b |
| X-MS-Exchange-CrossTenant-AuthSource | CO1PEPF000044EF.namprd05.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | SN7PR01MB7972 |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <202410080023.4980NSGB010697@hedwig.cmf.nrl.navy.mil> |
| Xref | csiph.com comp.protocols.kerberos:5355 |
Show key headers only | View raw
Twice this week I have helped other sites deal with issues related to "strict acceptor checking" (the programs in question were sshd and sudo). Both of these programs explicitly have code that constructs a service name based on the value of gethostname() and thus will only accept a service ticket for that name regardless of what's actually in the keytab, and this fails in a number of complicated multihomed networking situations (sudo does this for the service principal passed to krb5_verify_init_creds()). At least in the case of sshd there is an explicit knob to turn this off. However, this has made me wonder: why do this at all? What is the possible security gain here? It's not the default in the code; you have to explicitly write code to enable this behavior. But I can't really think of a case where NOT having strict acceptor checking is a security problem; I could maybe squint and envision some kind of weird hosted server setup where it might matter, but I'm not sure that is ever done in the real world. I will admit it is entirely possible I am missing something; if I am, I'd sure like to understand what I am missing. --Ken
Back to comp.protocols.kerberos | Previous | Next | Find similar
Why do "strict acceptor checking"? Ken Hornstein <kenh@cmf.nrl.navy.mil> - 2024-10-07 20:23 -0400
csiph-web